Since the proliferation of the internet, organizations have been migrating to outsourced services as a means of cost reduction. The migration has created a large industry. It has also created a large information technology (IT) security problem. For example, the recent passage of the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to verify that their vendors maintain the appropriate level of IT security. The recent HIPAA regulations place similar requirements on the healthcare industry. Other industry segments are adopting similar requirements under their own standards.
Early in this process, security consisted primarily of passwords and physical access control. As businesses migrate toward the internet to connect organizations with their outsourced service providers, the attention paid to IT security is growing rapidly in both scope and level of detail. Therefore, the requirement to verify the IT security of the outsourced service providers has also increased.
For example, financial institutions contract out a variety of services, such as loan processing, credit card processing, home equity services, line of credit services, etc., to outside service providers. However, in carrying out these services for the financial institutions, the outside service providers will necessarily have access to and control over non-public information, such as the card holders' home addresses, bank account information, credit card information, investment holdings, etc. This non-public information is the focus of stringent security measures, which are designed to prevent unauthorized persons from having or gaining access to it.
In response to the threat to this information, rules, regulations and procedures have been designed to ensure its protection. For example, virtually all financial institution regulations and major policies are developed and issued on an interagency basis under the direction of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is made up of the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration. The FFIEC has recently updated the IT security section of the IT Examiner's Handbook, the guideline for all financial institution examinations. The updated guidelines have a wider and more technical scope than the previous version released in 1996. This, combined with the GLBA requirements, is placing an increased burden on financial institutions and their vendors regarding auditing and compliance.
Historically, outsourced service providers have used an SAS70 audit as their main source of proof that their handling of client information is appropriate for the level of security required. An SAS70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. An SAS70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion (the "Service Auditor's Report") is issued to the service organization at the conclusion of an SAS70 examination. The SAS70 was not designed as an assessment of IT security best practices. In addition, with the advent of the fast-paced internet and the increase in security breaches using quickly changing breach techniques, the SAS70 is not adequate to provide the required level of information as quickly as the security procedures change.
Research shows that both clients and their outsourced service providers will incur greater costs as a result of this IT security focus. Considering that each client may have many outsourced service providers, the additional manpower and financial resources required to track, collect and verify each outsourced service provider's IT security information will increase overhead costs. From the outsourced service providers' perspective there are cost increases as well. Larger outsourced service providers may have thousands of clients. Because each client is requesting IT security information, the outsourced service providers will be inundated with requests and burdens of proof. Because of these issues, overhead cost increases will be passed on to the end users.